DeepSeek Chat Cross-Site Scripting Vulnerability Allowing JavaScript Execution
Vulnerability
A cross-site scripting (XSS) vulnerability has been identified in DeepSeek Chat version 3.2. The issue arises from the web interface's improper handling of model-generated SVG content: browsers treat SVG as active content (it can carry scripts and event handlers), so a crafted message that causes the model to emit such SVG results in arbitrary JavaScript executing in the user's browser.
Impact
Exploitation of this vulnerability enables arbitrary JavaScript execution within the DeepSeek Chat domain. This could lead to account or session compromise, depending on cookie flags, and allow Cross-Site Request Forgery (CSRF) actions to be performed under the victim's session. Additionally, it creates opportunities for UI manipulation, phishing, and data exfiltration via remote requests.
Reproduction
To reproduce this vulnerability, send a message containing untrusted SVG data with event attributes such as 'onload' or 'onclick'. When the message is viewed, the embedded JavaScript will execute automatically.
Remediation
Users are advised to avoid loading untrusted SVG content in DeepSeek Chat, use non-web clients when possible, and log out after sessions. For the vendor, it is recommended to sanitize SVG input with libraries like DOMPurify, strip event attributes and scriptable SVG elements, apply a strict Content Security Policy, and consider rasterizing SVG server-side or sandboxing rendering environments.
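The vendor-side remediation above, as an added example that is not DeepSeek's code nor part of this advisory: a token-level allowlist filter in JavaScript that strips scriptable SVG elements and event or remote-reference attributes from model output before it is inserted into the page. The element and attribute lists are assumptions for illustration; a DOM-based sanitizer such as DOMPurify, as the advisory recommends, is the right choice in production.

```javascript
// Added example (not DeepSeek's code): strip scriptable elements and event /
// remote-reference attributes from model-generated SVG before it reaches the DOM.
// Elements that can run script or pull in external or animated content (assumed list).
const BLOCKED_ELEMENTS = new Set(["script", "foreignobject", "use", "iframe", "object",
  "embed", "style", "animate", "animatetransform", "animatemotion", "set"]);

function isAllowedAttr(name, value) {
  const n = name.toLowerCase();
  if (n.startsWith("on")) return false;                 // onload, onclick, onerror, ...
  if (n === "style") return false;                      // inline CSS can fetch url(...)
  if (n === "href" || n === "xlink:href") {
    return /^#[\w.:-]*$/.test(value.trim());            // same-document references only
  }
  // Presentation attributes may carry url(...) references; allow fragments only.
  const url = /url\(\s*['"]?([^'")]*)/i.exec(value);
  return !url || url[1].startsWith("#");
}

function sanitizeSvg(markup) {
  const tagRe = /<!--[\s\S]*?-->|<\/?([A-Za-z][\w:-]*)((?:\s+[^\s=>\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*(\/?)>/g;
  const attrRe = /([^\s=>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  let out = "", last = 0, skipping = null, skipDepth = 0, m;
  while ((m = tagRe.exec(markup)) !== null) {
    // Text between tags is kept, but a stray '<' must never start a tag.
    if (!skipping) out += markup.slice(last, m.index).replace(/</g, "&lt;");
    last = tagRe.lastIndex;
    if (m[1] === undefined) continue;                  // comment: dropped
    const name = m[1].toLowerCase();
    const isClose = m[0].startsWith("</");
    const selfClose = m[3] === "/";
    if (skipping) {                                    // inside a blocked subtree
      if (name === skipping && !selfClose) skipDepth += isClose ? -1 : 1;
      if (skipDepth === 0) skipping = null;
      continue;
    }
    if (BLOCKED_ELEMENTS.has(name)) {                  // drop element and its contents
      if (!isClose && !selfClose) { skipping = name; skipDepth = 1; }
      continue;
    }
    if (isClose) { out += `</${m[1]}>`; continue; }
    let attrs = "", a;
    while ((a = attrRe.exec(m[2])) !== null) {         // re-emit only allowed attributes
      const value = a[2] ?? a[3] ?? a[4] ?? "";
      if (isAllowedAttr(a[1], value)) attrs += ` ${a[1]}="${value.replace(/"/g, "&quot;")}"`;
    }
    out += `<${m[1]}${attrs}${selfClose ? " /" : ""}>`;
  }
  if (!skipping) out += markup.slice(last).replace(/</g, "&lt;");
  return out;
}
```

Markup the tokenizer cannot parse as a well-formed tag (for example a `/` used in place of whitespace) is escaped to text rather than passed through, so the filter fails closed.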
